AlienApp for Palo Alto Networks Panorama Actions

As USM Anywhere surfaces events, alarms, and vulnerabilities, you can use Palo Alto Networks Panorama actions to respond to the events in your environment. Rather than manually adding addresses in the Panorama user interface (UI) and entering the relevant information, you can use the AlienApp for Palo Alto Networks Panorama response actions to automatically manage your Palo Alto Networks address groups using information from your USM Anywhere environment. The table below shows the actions.

Actions for the AlienApp for Palo Alto Networks Panorama
Action Description

Add Address to Address Group

Run this action to add the source, destination, or custom address to a group in your Panorama environment. If the group doesn't exist in Panorama, it will be created by the action from USM Anywhere

Remove Address from Address Group Run this action to remove the source, destination, or custom address to a group in your Panorama environment
Add Tag to Address Run this action to add a Panorama tag to an address. You can select either an existing tag from Panorama, or create a new one
Add Tag to Address Group Run this action to add a Panorama tag to an address group. You can select either an existing tag from Panorama, or create a new one
Add Address to URL Category

Run this action to add a source or destination address to a Palo Alto Networks Panorama URL category to allow, alert, or block the URL based on the selected existing profile

You can include optional pre-rule or post-rule policies that are based on your Panorama policy profiles

If you select an Associated Profile in the action, the user will receive an alert if the policy is violated

Add IP to External Block List Run this action to add an IP address to the Palo Alto Networks Panorama external block list
Add Domain to External Block List from Event/Alarm Run this action to add a domain to the Palo Alto Networks Panorama external block list from an event or alarm to restrict their access
Add Domain to External Block List Run this action to add a domain to the Palo Alto Networks Panorama external block list to restrict their access
Add Domain to External Block List from Rule Run this action to add a domain to the Palo Alto Networks Panorama external block list from a rule to restrict their access
Add Domain to External Block List from Orchestration Rule Run this action to add a domain to the Palo Alto Networks Panorama external block list from an orchestration rule to restrict their access
Add IP Address to External Block List from Event/Alarm Run this action to add an IP address to an external block list from an event or alarm to restrict their access
Add IP Address to External Block List from Orchestration Rule Run this action to add an IP address to an external block list from an orchestration rule to restrict their access
Get External Block List Run this action to retrieve the external block list
Add URL to External Block List Run this action to add a URL to the Palo Alto Networks Panorama external block list

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.

Launch Actions from USM Anywhere

When you review the information in the Alarm Details, Event Details, or Vulnerability Details, you can easily launch an action to send a request to your connected Panorama instance to add source or destination IP address information to an existing Panorama group. If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from an action applied to an alarm, event, or vulnerability.

To launch a Panorama response action for an alarm, event, or vulnerability

  1. Go to Activity > Alarms, Activity > Events, or Environment > Vulnerabilities.
  2. Click the alarm, event, or vulnerability to open the details.
  3. Click Select Action.
  4. In the Select Action dialog box, select Run Panorama Action.

  5. Select the app action and fill out the fields that are populated in the window.

  6. Click Run.

    After USM Anywhere initiates the action for an alarm or event, it displays a confirmation dialog box.

    If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK.

External Block List

The external block lists for IP addresses, domains, and URLs, are all contained in the AlienApp for Palo Alto Networks Panorama page (Data Sources > AlienApps > Palo Alto Panorama). For each tab, you can see the list of all the items on the block list, and you can remove individual items by clicking the icon next to the item. Each tab also contains these buttons above the list:

  • Add: Opens a dialog box to add an IP address, domain, or URL to the list.
  • Import: Opens a dialog box to import a text file to import a list of IP addresses, domains, or URLs to the list. This enables you to take your copied block list from another sensor and apply it to the current sensor.

  • Export: Exports the entire IP address, domain, or URL list as a downloadable .txt file. This enables you to copy your block list to another sensor.
  • Clear: Clears the entire IP address, domain, or URL list.